Knut Hellebø wrote: > Regards, > I have two questions regarding Nessus scanning across firewalls. We have > experienced network congestion/slowness when running Nessus inside a > firewall protected network against hosts on the "other side". We use > Nessus 3.0.4 and did not enable the nmap wrapper, ie using Nessus > internal port scanner to scan all ports (65535). We limited checks to 5 > simultaneous hosts, 5 simultaneous checks. We also turned on throttle > scan and network congestion detection. Even though these precautions > were taken, the network suffered. Apparently this was caused by ports > being held open for too long during the scanning period, making the > firewall drop old connections. Unfortunately I cannot reveal further > details. Is Nessus 3 this intrusive ? What can be done to further limit > network impact when testing across firewalls ?
The question may be how well your firewall can handle separate connections attempts from a node inside your network to the outside. If you are scanning multiple hosts "outside" your firewall and doing network address translation, your firewall has to track these connections. 65k ports for each scanned host can quickly fill up a low end firewall's NAT list. Also if your firewall is "logging" successful connections, you may have a bottle neck there as each outbound attempt may incur a write to a hard drive. Try scanning less ports. Try putting your Nessus scanner outside the firewall. Read this Tenable blog post: Using Nessus to Scan a Host Behind a Firewall http://blog.tenablesecurity.com/2006/08/using_nessus_to.html Ron Gula, CTO Tenable Network Security _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
